Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach Ravi Hosabettu (Univ. of Utah) Mandayam Srivas (SRI International)

Proof of Correctness of a Processor with Reorder Buffer using the Completion Functions Approach
Ravi Hosabettu (Univ. of Utah), Mandayam Srivas (SRI International), Ganesh Gopalakrishnan (Univ. of Utah)

2 Motivation
Pipelined processor verification
– Increasingly complex designs
– Need for formal verification
Theorem provers
– Focus on the relevant aspects only
To verify large, complex designs:
– Automation
– Decomposition

3 Problem Definition
Need a verification methodology that
– Is amenable to decomposition
– Uses decision procedures
Solution: Completion Functions Approach

4 What are Completion Functions?
Desired effect of retiring an unfinished instruction in an atomic fashion
(diagram: pipeline stages a, b, c feeding the register file RF; the completion function C_b of stage b)

5 Abstraction Function
Need to define an abstraction function
Flushing the pipeline
Our idea: Define the abstraction function as a composition of completion functions
(diagram: commuting square of an Impl. Machine Step and a Spec. Machine Step)

6 Main Features
Decomposition into verification conditions
Generated systematically & discharged often automatically
(diagram: stages a, b, c with completion functions C_a, C_b, C_c and the latch L_ab, all ending in RF)
Abs. fn = C_a o C_b o C_c
One VC is: C_a == L_ab o C_b

7 Main Features Continued
Incremental verification
No explicit intermediate abstraction
Methodology implemented in PVS
Three examples (CAV98)
– DLX
– Dual issue DLX
– Out-of-order execution example

8 New Issues for OOO
(diagram: in-order pipeline a, b, c with RF, contrasted with an out-of-order core made of DB, RTT, RB, RF and EU)

9 Completion Functions Approach for OOO
Instructions in a few possible states
– Parameterized completion function
Recursive abstraction function
Proof decomposition is based on “instruction-state transitions”
Liveness issues addressed

10 Outline of the Presentation
The implementation model
Proof of correctness
– Correctness criterion
– Liveness proof
Related work and conclusions

11 Processor Model
(diagram: RF, RTT, RB, DB and execution units EU1 ... EUm)

12 Proof of Correctness
Specifying the completion function
Correctness criterion & abstraction function
Decomposing the proof
– “Instruction-state transition” diagram
– Discharging the verification conditions
Correctness of the feedback logic
Invariants needed

13 The Completion Function
(diagram: RF, RB, EU1, DB; for reorder buffer entry rbi the completion function performs Action_issued, Action_dispatched, Action_executed or Action_writtenback, according to the entry's state)

14 Correctness Criterion
(diagram: commuting square relating an implementation step I_step on impl_st to a specification step A_step through the Abstraction function)

15 Recursive Abstraction Function
(diagram: reorder buffer RB with tail, head and entry rbi, mapped onto RF)
Abs. fn = Complete_till(head)

16 General Verification Condition
(diagram: instruction states I, D, E, W in state q and in next(q); both paths to RF give the same result)

17 Instruction-state Transitions
(diagram: states I, D, E, W with transitions Disp? / Not Disp?, Exec? / Not Exec?, Wback? / Not Wback?, Retire? / Not Retire?)

18 Establishing the General Verification Condition
(diagram: states I, D, E, W in q and next(q); completing through Action_dispatched or through Action_executed has the same effect on RF)

19 Overall Proof Decomposition
(diagram: states I, D, E, W, the register file RF and the ISA specification)

20 Decomposition Summary
Decomposes into ten obligations
– Certain invariants needed
– Correctness of the feedback logic
Case analysis strategy in simplifying

21 Feedback Logic
Feedback logic correctness: A = B
(diagram: entries 1, 2, ..., i; A is the operand the feedback logic returns, B is the value read from RF after applying C_1 and C_2)

22 Invariants Needed
Feedback logic invariant
Exclusiveness & exhaustiveness
Instruction-state properties

23 PVS Proof Statistics
Proof strategies
– Induction obligations: Very similar strategy
– Rewrite rules & other obligations: Automatic
– Invariants: No uniform strategy
Manual effort
– 1 week of planning & discussions
– 12 person days of “first time” effort
1050 seconds on 167MHz UltraSparc

24 Liveness Properties
Two liveness properties
– Eventually the processor gets flushed
– Eventually a new instruction is executed
Again based on the “Instruction-state transition” diagram

25 Liveness Proof
(diagram: states I, D, E, W with transitions Disp? / Not Disp?, Exec? / Not Exec?, Wback? / Not Wback?, Retire? / Not Retire?, driven by the Scheduler)
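The following Python model is an added illustration of slides 5, 6, 15, 16, 21 and 24; it is example code written for this transcript, not the authors' PVS development. It builds a tiny core with a reorder buffer, defines a per-entry completion function parameterized on the entry's state, folds those into a recursive abstraction function (Complete_till over the buffer), and checks the commuting diagram Abs(I_step(s)) == A_step(Abs(s)) at every cycle of every short program. A switchable feedback logic shows what the A = B condition of slide 21 buys: the faulty variant reads a stale register value and the diagram stops commuting. The bounded drain check at the end of each run is the finite-program shadow of the first liveness property (the pipeline eventually flushes). Everything here is constructed: the add/sub-mod-16 ISA, the two-state (I/E) simplification of the talk's I/D/E/W states, the one-execute-per-cycle scheduler and all function names.

```python
"""Toy model of the completion-functions approach (added example, not the
authors' PVS development). Instruction states are simplified to
I (issued, not yet executed) and E (executed, result held in the ROB entry)."""
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed ISA: two ops over small registers, results kept mod 16.
OPS = {'add': lambda a, b: (a + b) % 16, 'sub': lambda a, b: (a - b) % 16}

@dataclass(frozen=True)
class Instr:
    op: str
    dst: int
    src1: int
    src2: int

@dataclass(frozen=True)
class Entry:
    instr: Instr
    state: str             # 'I' or 'E'
    result: Optional[int]  # known once executed

@dataclass
class Impl:
    rf: list   # architectural register file
    rob: list  # reorder buffer entries, oldest first

def spec_step(rf, ins):
    """A_step: the ISA executes one instruction atomically."""
    rf = list(rf)
    rf[ins.dst] = OPS[ins.op](rf[ins.src1], rf[ins.src2])
    return rf

def completion(rf, e):
    """C_rbi: RF after entry e retires atomically, given the RF obtained by
    completing every older entry. Parameterized on the entry's state."""
    if e.state == 'E':                 # executed: commit the held result
        rf = list(rf)
        rf[e.instr.dst] = e.result
        return rf
    return spec_step(rf, e.instr)      # issued: operands come from the completed RF

def abstraction(s):
    """Abs = Complete_till(head): fold the completion functions over the ROB."""
    rf = s.rf
    for e in s.rob:
        rf = completion(rf, e)
    return rf

def forwarded(s, idx, reg, forward=True):
    """Feedback logic: operand `reg` for ROB entry idx. With forwarding it is the
    youngest older producer's result (None while that producer is still 'I');
    the faulty variant (forward=False) always reads the architectural RF."""
    if forward:
        for e in reversed(s.rob[:idx]):
            if e.instr.dst == reg:
                return e.result
    return s.rf[reg]

def impl_step(s, new=None, forward=True, cap=4):
    """I_step: execute the oldest ready 'I' entry with operands read at the start
    of the cycle, retire the head if it was already executed, then issue `new`
    if the ROB has room. Returns (next state, whether `new` was issued)."""
    rob = list(s.rob)
    for i, e in enumerate(rob):
        if e.state == 'I':
            a = forwarded(s, i, e.instr.src1, forward)
            b = forwarded(s, i, e.instr.src2, forward)
            if a is not None and b is not None:
                rob[i] = Entry(e.instr, 'E', OPS[e.instr.op](a, b))
                break
    rf = list(s.rf)
    if s.rob and s.rob[0].state == 'E':
        rf[s.rob[0].instr.dst] = s.rob[0].result
        rob.pop(0)
    issued = new is not None and len(rob) < cap
    if issued:
        rob.append(Entry(new, 'I', None))
    return Impl(rf, rob), issued

def commutes(s, new=None, forward=True):
    """One verification condition: the diagram commutes for this cycle. A cycle
    that issues nothing must leave the abstract state unchanged."""
    s2, issued = impl_step(s, new, forward)
    expected = spec_step(abstraction(s), new) if issued else abstraction(s)
    return abstraction(s2) == expected

def check_all(forward=True, regs=2, length=3):
    """Runs every program of `length` instructions over `regs` registers, checking
    the commuting diagram each cycle and that the pipeline drains to the ISA
    result. Returns None, or the first (program, state) counterexample."""
    instrs = [Instr(op, d, a, b) for op in OPS for d in range(regs)
              for a in range(regs) for b in range(regs)]
    for prog in itertools.product(instrs, repeat=length):
        s, pending = Impl(list(range(1, regs + 1)), []), list(prog)
        for _ in range(3 * length + 1):        # enough cycles to issue and drain
            new = pending[0] if pending else None
            if not commutes(s, new, forward):
                return prog, s
            s, issued = impl_step(s, new, forward)
            if issued:
                pending.pop(0)
        final = list(range(1, regs + 1))
        for ins in prog:
            final = spec_step(final, ins)
        if s.rob or s.rf != final:             # bounded "eventually flushed"
            return prog, s
    return None
```

`check_all()` returns None: with correct forwarding the per-cycle obligations (issue, execute, retire) all hold and every program drains. `check_all(forward=False)` returns the first program on which a dependent instruction executes with a stale register value, which is exactly the A = B condition failing; the executed entry's held result then disagrees with what its completion function would have computed from the completed RF.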

26 Related Work
Jones, Skakkebaek & Dill - FMCAD98
Pnueli & Arons - FMCAD98
Sawada & Hunt - CAV98
McMillan - CAV98

27 Conclusions
Well suited for verifying a processor with reorder buffer
Proved the correctness of Tomasulo’s algorithm with no reorder buffer: CHARME99

28 Work in Progress
A processor with exceptions & speculative execution
– Substantial progress made
Mechanizing the liveness proofs
Bring the methodology closer to practice
– Bridging the model gap
– More automated decision procedures
– Integration into the design process